TMT 2025 Comparisons

General Overview

E-commerce and the digital economy in Mexico are regulated through general laws, including the Civil Code, Commercial Code and Consumer Protection Law, rather than through specific e-commerce legislation. These regulations are designed to be technology-neutral, though amendments sometimes address digital-specific matters. There is no overarching framework solely governing e-commerce activities.

Local e-Commerce Regulation

In 2018, the Mexican government introduced voluntary guidelines (NMX-COE-001-SCFI) for businesses operating digital platforms to promote or sell goods and services. These guidelines set standards for advertising transparency, online transaction security, cross-border commerce and consumer protection. Notably, they clarify the roles and liabilities of digital platforms versus sellers, with platforms generally being held accountable only for their specified activities.

Efforts to convert these guidelines into binding Mexican Official Standards (Normas Oficial Mexicana; NOMs) began in late 2024. This process aims to ensure enforceable compliance, with implementation anticipated in 2025.

USMCA

The United States-Mexico-Canada Agreement (USMCA) modernises e-commerce regulation under Chapter 19, addressing digital trade, cybersecurity, algorithms and intermediary liability. It prohibits customs duties on digital products, promotes privacy and consumer protection and ensures safe harbour provisions for intermediaries. Although Mexico has not formally incorporated USMCA provisions into its statutory framework, the Supreme Court has upheld their direct application through case law, allowing their enforcement without formal domestic legislation.

Fintech

The 2018 Fintech Act regulates two types of institutions and two business models. The first category of institution includes electronic payment fund institutions (EPFIs; instituciones de fondo de pago electrónico or IFPEs) and investment fund companies (IFCs), which require authorisation from both the National Banking and Securities Commission (Comisión Nacional Bancaria y de Valores; CNBV) and the Bank of Mexico (Banxico). Approval is granted by an inter-institutional committee involving the Ministry of Finance (Secretaría de Hacienda y Crédito Público; SHCP), CNBV and Banxico. EPFIs can manage electronic payment accounts, participate in payment networks, facilitate fund transfers and handle national and foreign currencies. Virtual asset operations are limited to internal purposes, with strict segregation from client resources and prior Banxico approval.

The second type of institution is the collective funding institution (CFI), or crowdfunding platform, which intermediates between investors and funding applicants and offers debt, equity and co-ownership or royalty-based financing. Royalty financing refers to sharing profits or losses from projects, not intellectual property (IP) rights.

The Fintech Act also regulates virtual assets, including cryptocurrencies, defining them as electronically registered value representations used for electronically transferable payments. Their use is subject to guidelines such as Circular 4/2018 and Comisión Nacional para la Protección y Defensa de los Usuarios de Servicios Financieros (CONDUSEF; the National Commission for the Protection and Defense of Users of Financial Services) provisions, requiring disclosures about risks and compliance with anti-money laundering rules. The Mexican Central Bank has not approved any public cryptocurrency from fintech companies.

Innovative model sandboxes allow business models outside existing financial regulations to operate with temporary, two-year authorisation. These sandboxes function under controlled conditions, with geographical and client limitations. The framework includes regulated and unregulated sandboxes, but no sandbox has been authorised to date despite collaborative efforts.

The Fintech Act mandates application programming interfaces (APIs) for standardised data sharing between financial entities, enabling open financial data, aggregated information and transactional data exchanges with user consent. APIs facilitate open banking by promoting innovation and efficiency, but the lack of detailed regulations has required industry adaptation.

The Fintech Act aims to create an integrated, efficient financial services ecosystem, fostering innovation while ensuring competitiveness, transparency and security in Mexico’s digital finance sector.

Transportation and Food Delivery Apps

The December 2024 amendment to the Employment Act, introduced under President Claudia Sheinbaum, aims to recognise drivers and delivery workers for digital apps as formal employees. These workers would gain rights akin to traditional employees, such as bonuses, social security, flexible work schedules, algorithmic transparency, risk insurance and other benefits. However, the amendment misunderstands the gig economy’s structure, leading to significant criticism. With secondary regulations still pending, constitutionality challenges are anticipated.

Temporary Hosting Services Apps

In response to concerns about gentrification and competition with traditional hospitality, Mexico City Congress recently amended the Tourism Act to regulate temporary hosting service platforms. The statute imposes strict requirements, including mandatory government registries for platforms and hosts, regular data disclosure and caps on listings, such as limiting hosts to three properties or allowing listings for only 50% of the year. Platforms are also held jointly liable for hosts’ obligations. Critics argue that the amendment misclassifies digital hosting services as tourism services and implements anti-competitive measures. Legal challenges are already underway, though other states are considering adopting similar regulations.

Digital Advertising

Digital advertising remains largely unregulated in Mexico. A 2021 law designed to ensure transparency and prevent unfair practices in advertising services was struck down by the Supreme Court in 2023 for being unconstitutional. Separately, the Consumer Protection Agency (Procuraduría Federal del Consumidor; PROFECO) issued guidelines for influencer and digital content marketing, attempting to establish basic rules and recommendations for these activities. On the other hand, in matters related to sanitary advertising, the Regulations of the General Health Act on Advertising set forth the rules in connection with the advertising of health-related goods, products and services.

In recent years, Mexico’s competition regulator, the Federal Economic Competition Commission (Comisión Federal de Competencia Económica; COFECE), has launched investigations into various aspects of the digital economy, including the markets for digital payment processing, services, advertising and e-commerce. However, these investigations remain inconclusive. The creation of a new competition agency under constitutional amendments could further delay their resolution. This agency will absorb COFECE and the Federal Telecommunications Institute (Instituto Federal de Telecomunicaciones; IFT), consolidating competition law enforcement across all sectors and implementing asymmetric regulations in telecommunications and broadcasting. This new entity, with its own legal standing and assets, will likely operate under the Ministry of Economy.

Under President Claudia Sheinbaum, significant structural changes are underway. The autonomous privacy regulator – ie, the National Transparency Institute (Instituto Nacional de Transparencia; INAI), will merge with the Public Service and Transparency Secretary, and a new Science and Technology Secretary will be established to oversee digital innovation. A Digital Transformation Office will also be created, which could have a substantial impact on the industry. The government has expressed plans to enact new laws, including a Cybersecurity Law, a Nearshoring Law, and a Digital Simplification Law, as well as initiatives to attract investment in AI, semiconductors, robotics and data centres.

Tax regulations for the digital economy include a corporate income tax (CIT) of 30% for Mexican residents on income from goods and services, alongside a value added tax (VAT) of 16% under the Mexican Value Added Tax Law (MVATL). Non-resident digital service providers must register with the Mexican Tax Authority (Servicio de Administración Tributaria; SAT) under a simplified regime, collect VAT from Mexican users and remit it monthly. These measures aim to ensure equitable taxation in the evolving digital economy.

Companies providing digital services in Mexico, both domestic and foreign, encounter several challenges.

• VAT credit: The MVATL is silent with respect to the possibility of crediting any VAT input for non-resident companies, which are required to register before the MTA for VAT purposes.
• Registration and reporting requirements: Non-resident companies must register before the MTA, a process that may be unfamiliar to businesses outside Mexico. The simplified regime for digital services reduces some of the administrative burden but still requires monthly reporting and payment compliance.

• Electronic invoicing: Mexican legislation mandates the issuance of digital invoices (comprobantes fiscal digital por internet; CDFIs) for transactions. Understanding technical specifications and ensuring accurate issuance is a significant challenge for new entrants.

• Ambiguities in cross-border taxation: Determining the source of income for CIT purposes under the Mexican Income Tax Law (MITL) can be complex, especially when distinguishing between digital and traditional business models as well as in relation to the application of tax treaties, including multilateral instruments.

Penalties for Non-Compliance

Non-compliance can lead to penalties, including fines and restrictions on the provision of services to Mexican customers.

Mexican tax residents are subject to CIT at a 30% rate on income derived from the provision of services, such as digital advertising. Additionally, they are subject to VAT at the general rate of 16%.

Additionally, digital advertising services may trigger withholding taxes if the revenue is deemed to have a Mexican source. However, it is important to conduct a case-by-case analysis to determine whether a double taxation treaty (DTT) to which Mexico is a party may apply. To ensure compliance with Mexican tax laws, companies should:

• register with the MTA – non-resident providers must comply with the VAT regime for digital services under the MVATL if applicable, which includes timely registration, monthly VAT reporting and payment;
• maintain accurate records – keep detailed records of Mexican transactions and ensure proper documentation for tax compliance;
• issue compliant electronic invoices – adhering to CFDI standards is mandatory for transactions involving Mexican customers; and
• monitor legislative changes – Mexico frequently updates its tax regulations, and staying informed on changes, such as new provisions or enforcement mechanisms, is critical for ongoing compliance

In Mexico, consumer protection regulation is technology-neutral, applying the same rules to traditional commerce and e-commerce. The Consumer Protection Law is broad enough to encompass digital goods and services, and a pending e-commerce NOM aims to establish specific standards and obligations for entities engaging in e-commerce. This NOM will regulate digital assets, services and transactions, requiring minimum consumer protection measures from providers who habitually market or sell goods or services through electronic means.

The Consumer Protection Act, along with the anticipated NOM and other regulations, mandates suppliers to adhere to rules that ensure consumer rights. PROFECO, the consumer protection regulator, has issued binding and non-binding guidelines for various sectors and situations, including online activities. These regulations apply across digital platforms such as social media, websites and apps, particularly for industries like food and beverages, cosmetics, hygiene products, financial services and tourism.

To uphold consumer rights, companies should design their business models and agreements around principles such as fairness, transparency, competition and quality. Conducting legal and compliance due diligence can help identify, mitigate and prevent risks, be they legal, economic or reputational.

PROFECO is authorised to handle consumer complaints, individually or collectively, submitted in various formats including by written, oral, telephone or electronic means provided they meet legal requirements. Agreements ratified by PROFECO are legally binding and enforceable through expedited or executive proceedings. PROFECO also facilitates conciliation services, which can be conducted via phone or other means, with written confirmation required for any commitments. In cases involving minors, conciliation is bypassed to ensure their rights are safeguarded. If conciliation fails, PROFECO encourages arbitration by either its own mediators or an independent arbitrator. Arbitration ensures fairness, legality and equity, and can occur without prior complaints or conciliation. If arbitration is declined, the parties’ legal rights remain unaffected.

For TMT companies, minimising disputes involves implementing transparent and accessible complaint mechanisms, such as written, electronic and telephone channels, in order to prevent these claims from reaching the authorities. These methods should be clearly explained in their terms and conditions (T&C), a frequently asked questions (FAQ) section or specific guidelines provided by the company. Providing structured resolution frameworks, including conciliation and arbitration, fosters trust and fairness. Conflict often arises from poorly designed complaint systems, such as AI-based chats lacking escalation options or failing to address non-standard issues promptly. Proper management of reimbursements and complaints, especially regarding service quality, is essential. Companies should focus on vulnerable groups, like minors, ensuring their rights are protected. Independent arbitration options and adherence to principles of legality and equality bolster a company’s credibility while demonstrating its commitment to consumer protection.

Blockchain is not directly regulated in Mexico but is addressed through the Fintech Law, which governs virtual assets, digital payments, crowdfunding and sandboxes. The law classifies virtual assets (commonly called cryptocurrencies) as non-legal tender and strictly limits their use by fintech institutions. These assets are confined to internal purposes, must be segregated from client assets and are subject to stringent oversight.

Trading and custody of virtual assets are not activities permitted for fintech institutions in Mexico. For example, Bitso’s IFPE entity, Nvio, manages wallet services in national currency only, avoiding virtual asset handling. Companies like Bitso and Binance operate fiat-to-virtual asset conversions in jurisdictions like Gibraltar, reflecting the cautious stance of Mexican regulators on domestic virtual asset activities.

The Fintech Law narrowly defines “Fintech” according to three regulated categories, each subject to strict compliance standards akin to those for banks and financial institutions. Requirements include rigorous know your customer (KYC) processes for shareholders and administrators, minimum capital thresholds and high technological infrastructure standards. These regulations pose significant challenges for fintech companies looking to operate in Mexico.

In Mexico, cloud and edge computing lack specific regulation and are governed indirectly under existing laws, particularly the Privacy Law, Article 52 of which defines cloud computing as the external provision of on-demand services, including infrastructure, platforms or software. Cloud providers, such as data controllers or processors, must comply with specific rules and obligations.

INAI offers compliance guidance through the “Minimal Suggested Criteria for Hiring Cloud Computing Services Involving Personal Data Processing”. Draft cybersecurity laws under discussion may designate cloud services as critical infrastructure, requiring stricter security standards. Existing regulations like NOM-151-SCT1-2016 address data integrity and conservation.

Confidentiality in cloud services relies on private agreements and industry standards, with trade secrets protected under the Copyright Law. Other copyright provisions may apply depending on data use. General civil, commercial and regulatory laws govern relationships with cloud and edge providers, as no distinct regulations for these technologies exist.

There are some relevant rules specific to the public sector:

• the public sector has its own specific Privacy and Data Protection Law;
• the 2018 guidelines and an Official Agreement (Acuerdo) issued in 2021 by the Presidential Office’s Digital Strategy Bureau promote the safe use of technology by the government, including rules for data centres and cloud services;
• the recently created Intersecretarial Commission of Information Technologies is the body expected to issue regulations on cloud and edge computing;
• some agencies and states have provided guidelines and regulations for the acquisition and safe use of technology, particularly for law enforcement agencies; and
• NMX-I-27018-NYCE-2021, which is non-binding, provides rules for the protection of personal data located in public cloud services.

The banking and finance sectors in Mexico lack specific regulations for cloud services, operating under the general rules outlined in existing regulations (circulares). These regulations govern information technology service acquisitions, including of cloud services, and address cybersecurity and risk management. Depending on the nature of the service and the provider’s access or administrative privileges, contracting cloud services may require notification or authorisation from financial regulators.

The regulation of artificial intelligence (AI) in Mexico is still in its early stages. Although Congress has yet to pass comprehensive AI legislation, numerous bills are under discussion, and a special commission has been established to address the topic. These proposals primarily focus on criminal issues, with some addressing privacy, IP and the governance of AI. The National AI Alliance (Alianza Nacional Inteligencia Artificial; ANIA), an advisory body to the Senate, has introduced a six-year roadmap for AI regulation, emphasising topics such as authorship, liability, risks of use, damages, prohibited applications and the governance of all ecosystem participants, including developers, implementers and users. Liability is a particularly contentious issue given Mexico’s lack of intermediary liability safe harbours outside of the USMCA and copyright laws. Additionally, the use of AI by government entities, whether as developers or consumers, is a central focus.

At the state level, targeted AI regulatory initiatives are emerging, particularly in Mexico City and Jalisco, reflecting a growing awareness of AI’s challenges. However, these efforts remain limited in scope and resources. While Mexico lacks dedicated AI regulations, existing laws on privacy, IP and civil and criminal matters provide partial frameworks for AI-related issues. Nonetheless, these laws leave significant gaps and require reinterpretation to address the unique complexities of AI, underscoring the need for comprehensive legislation.

In the realm of IP, Mexican law explicitly limits patent protections to human creations. AI cannot be recognised as an inventor, and literary, artistic or software-related works are excluded from patent protection. This restriction highlights the broader challenges in adapting existing legal frameworks to the evolving realities of AI innovation and use. Comprehensive legislation is necessary to provide clarity, close regulatory gaps and promote the responsible development and application of AI in Mexico.

Deepfakes

Deepfakes are partially regulated in Mexico, primarily through existing privacy and copyright laws. Likeness, image and voice are protected as personal data under privacy laws, requiring the data owner’s consent for use. These elements are also safeguarded by the right to self-image, which requires authorisation for their use. Mexico City has a specific law for protecting individuals’ images, with limited exceptions. Additionally, laws addressing violence against women and criminal codes prohibit impersonation and related acts, potentially categorising certain deepfake misuses as digital violence or privacy infringement. However, criminal law in Mexico requires precise application, leaving some cases in legal grey areas. For example, a recent case involving AI-generated pornographic impersonation resulted in acquittal due to insufficient authorship evidence. Concerns about financial fraud, health risks and electoral manipulation are growing, making deepfake regulation a likely legislative priority given Mexico’s high levels of fraud and deception. The broader absence of AI-specific regulations complicates determining rights and responsibilities for AI-generated works, underscoring the need for comprehensive legislation.

Self-Driven Cars and Drones

Self-driven vehicles remain unregulated in Mexico. While some legislative groundwork has been attempted, general transportation and vehicle regulations, along with civil liability and tort laws, currently apply. However, issues specific to autonomous vehicles, such as safety standards, testing protocols, infrastructure requirements and privacy concerns, lack dedicated regulation.

Drones, by contrast, are subject to specific regulations under the Civil Aviation Law and NOM-107–SCT3-2019. This standard categorises remotely piloted aircraft systems (RPAS) based on their maximum take-off weight (MTOW), with heavier drones requiring registration. Restrictions apply to certain areas, including airports, military zones and populated areas. Operational limits also regulate height, speed, night flights, meteorological conditions and proximity to people. Insurance and safety measures are mandated to ensure responsible use.

Internet of Things (IoT)

Mexico does not have specific IoT legislation, but various laws address related aspects. Privacy laws regulate IoT devices that collect personal data, including metadata such as browsing history, geolocation and digital behaviour, when linked to identifiable individuals. Consumer protection laws cover product safety, warranties and transparency about IoT device functionality. Copyright law protects software embedded in IoT devices and confidential trade secrets. The Federal Telecommunications Law governs network security, service quality and connectivity, which are essential for IoT functionality.

The Constitution, along with criminal and national security laws, broadly protects communication secrecy. However, the absence of a dedicated Cybersecurity Law leaves gaps in regulating IoT-specific vulnerabilities. While current cybersecurity legislative drafts do not explicitly address IoT, future statutes are expected to cover these technologies, especially as they relate to critical infrastructure and national security.

Mexico has implemented several soft regulations through the Economy Ministry’s normalisation body, Normalización y Certificación Electrónica (NYCE), to address security and operational aspects of IoT environments. NMX-I-1362-NYCE-2021 establishes a simple encryption procedure to enhance data transmission security for IoT systems. Other relevant standards include NMX-I-4903-NYCE-2021 for smart and sustainable cities, NMX-I-20000-NYCE-2021 and NMX-I-2000-1-NYCE-2019 for service management systems, NMX-I-22301-NYCE-2021 for communication interruptions recovery and NMX-I-22316-NYCE-2021 for recovery capability resilience.

The telecommunications regulator (IFT), currently undergoing restructuring, has also issued various regulations that align with international standards like the National Institute of Standards and Technology (NIST) and the International Organization for Standardization (ISO). One example is the Guidelines for the Standardization of Products, Equipment, Devices, or Apparatus for Telecommunications or Broadcasting (June 2022), which requires Homologation Certificates for devices. These certificates standardise connectivity, installation, operation and use, ensuring compliance with mandatory technical standards.

Internationally, the Budapest Convention on Cybercrime, not ratified in Mexico, addresses computer-related crimes.

The absence of a comprehensive legal framework for IoT in Mexico creates significant uncertainty for companies deploying IoT solutions. Compliance challenges arise from navigating overlapping, evolving laws that do not account for IoT’s unique characteristics. This gap underscores the need for dedicated legislation to provide clarity and support responsible IoT deployment in the country.

Privacy

IoT devices often collect vast amounts of data, some of which may be considered personal data (e.g., location, usage patterns, biometric data). Companies must ensure they:

• provide clear and comprehensive privacy notices to users;
• collect explicit consent for data collection and processing;
• implement robust security measures;
• collect only the minimum necessary data for specific, legitimate purposes, as IoT devices tend to collect data that may not be necessary, posing a compliance risk; and
• effectively anonymise or pseudonymise data to reduce privacy risks, which can be technically challenging in IoT environments due to the interconnected nature of devices and data flows.

Cybersecurity

Companies must provide device security; securing IoT devices is paramount. Many devices have limited processing power and memory, making it difficult to implement strong security measures. Companies need to address vulnerabilities such as default passwords, lack of firmware updates, insecure communications protocols and physical tampering.

Concerning network security, companies need to implement measures to prevent unauthorised access, data breaches and denial-of-service attacks. Concerning data security, protecting data in transit and at rest is essential. This includes using encryption, access controls and data loss prevention measures. Finally, concerning incident response, having a plan to respond to security incidents and data breaches is crucial, including providing proper notification to users and regulators.

Consumer Protection

Concerning product safety, companies must comply with safety standards and regulations to prevent harm to users. Concerning transparency and information, companies must provide clear and accurate information to consumers about the functionalities of IoT devices, data collection practices and potential risks. Finally, determining liability in case of accidents or damages caused by IoT devices can be complex. Companies need to consider product liability, negligence and other legal issues.

Interoperability and Standardization

Companies must comply with national and international interoperability and standardisation regulations to avoid interoperability and safety issues. Proper risk assessments are crucial for IoT companies, encompassing compliance with general and sector-specific regulations, best practices and a thorough evaluation of their supply chains, components and products.

Domestic and international transfers of personal data in Mexico require the data owner’s informed consent. The privacy notice of the IoT company must specify the transferees (or their category) and the purpose of the transfer. Additionally, the IoT company must provide the transferee with its privacy notice to ensure they process and transfer data only for the consented purposes.

The Privacy Law applies uniformly to all companies handling personal data, including IoT companies, with exceptions for transfers within the same corporate group. In such cases, consent is not required but must be disclosed, and binding internal rules for data protection must be in place.

Sensitive personal data, including financial, patrimonial and biometric data, is subject to stricter regulations under the Privacy Law. This includes express and written consent, restricted databasing and doubled administrative liabilities. However, no additional requirements specifically govern the transfer of sensitive data beyond these general provisions.

In telecommunications and broadcasting, a licence is mandatory for providing public services. These licences, issued under the Federal Telecommunications and Broadcasting Law (FTBL), are granted for up to 30 years and may be renewed. Free-to-air TV, broadcast radio and other services requiring spectrum frequencies must either lease the spectrum from licensed holders or acquire their own spectrum licences, which are auctioned and are subject to annual fees. Satellite telecommunications services necessitate a separate orbital slot concession, granted based on international treaty availability and public tender proceedings.

Conversely, online audio-visual platforms and over-the-top services (OTTs), such as video-sharing platforms, streaming services and platforms featuring user-generated content (UGC), are not classified as telecommunications or broadcasting services. Consequently, they do not require licences to operate in Mexico.

To obtain a telecommunications or broadcasting licence, applicants must file with the IFT, submitting technical plans and documents proving their administrative, legal and economic capacity to provide the proposed services. The IFT has 60 calendar days to evaluate the application, request additional information if needed and, upon satisfaction of all requirements, grant the licence. This process underscores the structured regulatory approach for traditional media while exempting emerging digital platforms from similar obligations.

To obtain a telecommunications or broadcasting licence in Mexico, applicants pay approximately USD1,200. Spectrum licences, granted through public tenders for commercial services, require an upfront payment and annual royalties. These licences last up to 20 years and can be renewed for equal terms. The IFT evaluates applications based on economic proposals, service coverage, quality, innovation, affordability, prevention of market concentration and promotion of competition.

TV, Fixed and Wireless Broadband, Voice and Satellite Communications

OTT platforms, such as streaming and messaging services, are excluded from these regulations. While owning or commercialising telecommunications infrastructure like towers, antennas or fibre optics does not require a licence, only licensed carriers may provide services using such infrastructure. Infrastructure use is regulated as part of the telecommunications network.

The IFT, responsible for enforcing telecommunications and broadcasting regulations, will be dissolved. Its competition and asymmetrical regulation functions will transfer to a new competition and markets authority, while some responsibilities may return to the Secretary of Communications and Transportation.

Other cases where authorisation from the IFT is required include:

• incorporating and operating, or exploiting, a telecommunications service provider without licensee status (resale of services);
• installing, operating or exploiting earth stations to transmit satellite signals;
• installing telecommunications equipment that crosses national borders;
• exploiting the rights of emission and reception of signals and frequency bands associated with foreign satellite systems that cover and can provide services within Mexico (landing rights); and
• temporarily using spectrum bands for diplomatic visits.

The IFT may exempt authorisation for earth stations that meet established standards and do not interfere with other telecommunications systems. These authorisations are valid for up to ten years and can be renewed for equal terms. Applications must be resolved within 30 business days, and if no decision is issued within this period, the authorisation is considered granted.

The FTBL enshrines net neutrality principles, requiring internet service providers (ISPs) to ensure users can freely access legal online content, applications and services without discrimination, restriction or limitation. Exceptions include national emergencies, public safety and preventing network damage. ISPs must inform users about any limits or restrictions and are permitted to manage network traffic, provided such management is reasonable and non-discriminatory.

In 2021, the IFT issued guidelines on traffic management and internet administration to clarify net neutrality principles. These guidelines address traffic management, ISP services, reducing the digital divide, transparency and IFT monitoring. However, the guidelines are criticised for their weaknesses, including ineffective enforcement against practices like paid prioritisation and insufficient transparency regarding network traffic management. ISPs must publish a Traffic Management and Network Administration Policy, but compliance and clarity remain issues.

Mexico’s approach to emerging technologies is inconsistent. Often, regulators and lawmakers adopt a “wait and see” approach, especially in areas like AI and self-driven vehicles. Proper study and engagement with stakeholders, including experts, academics and industry representatives, alongside comparative reviews of international frameworks, could lead to more effective regulation.

In other cases, such as the Fintech Law, Mexico has acted quickly, becoming a global pioneer in regulating financial technology. These swift actions are often driven by pressure from interest groups or political and media attention following high-profile events. However, rapid regulatory responses sometimes fail to account for the nuances of emerging technologies, as seen in recent laws addressing mobility and delivery app workers or temporary service apps, which misunderstand key differences between these technologies and their traditional counterparts.

Mexico currently lacks a centralised and coherent strategy for addressing emerging technologies or fostering technological innovation. However, the creation of a Technology and Innovation Secretary under the new government signals potential changes. Several regulations related to TMT have been identified as government priorities.

For companies incorporating TMT features or operating in the TMT sector, proper legal due diligence and compliance programmes are essential. Navigating grey areas of regulation presents varying levels of comfort depending on the company’s risk tolerance. High-reward emerging technologies inherently carry regulatory risks that must be addressed proactively.

One significant challenge in the technology sector is the lack of contract standardisation, which complicates negotiations. While some sectors have achieved limited standardisation, this remains the exception. The complexity of these agreements can create challenges during litigation, particularly given the recent judiciary amendment in Mexico. Judges may struggle to interpret the technical aspects of technology agreements accurately, often prompting parties to seek arbitration instead. Arbitration provides decision-makers with specialised technical knowledge that is often lacking in the judiciary.

Conversely, some technology contracts are insufficiently technical, leading to ambiguity and broad interpretation by parties or judges. Custom definitions and clauses, often necessary due to the lack of specific regulation, require lawyers with a deep understanding of the technology to tailor agreements properly. Missteps in this process can result in poorly aligned contracts that fail to address the needs of the transaction.

Technology agreements must account for key regulatory and legal elements, including IP rights, data protection and privacy regulations, confidentiality and trade secrets, consumer protection laws (if applicable), and general civil and commercial law. Upcoming cybersecurity regulations are also likely to impact such agreements. Highly regulated industries, such as banking, insurance, finance and healthcare, face stricter requirements for technology acquisitions due to their sensitivity to technological risks. Similarly, technology agreements with government entities are subject to stringent regulations, including those related to procurement, national security and public sector standards.

While most agreements are open for discussion between the parties, there are some elements that must be accounted for, such as (i) copyright and IP rights, (ii) privacy and personal data protection regulations, (iii) confidentiality and trade secrets, (iv) consumer protection laws, if applicable, (v) standard commercial and civil law requirements and, ideally, (vi) cybersecurity regulations.

Service agreements in Mexico primarily focus on the relationship between service providers and their customers, while interconnection agreements regulate the establishment of network connections between telecommunications operators, ensuring interoperability. Both types of agreements play critical roles in the telecommunications ecosystem.

Telecommunications operators are obligated to interconnect their networks with those of other licensed operators upon request. In this regard, operators providing mobile services must enter into interconnection agreements that define the T&C of such interconnection. Elements of interconnection agreements include (i) network access and interoperability; (ii) terms of access and traffic exchange; (iii) pricing and payment terms; and (iv) quality service. These agreements must be registered with the IFT.

Telecommunications operators are free to determine their pricing; however, this does not apply to the preponderant carrier, whose rates are established and published by the IFT.

In the event of a disagreement between the licensees, the IFT is responsible for resolving any outstanding terms or conditions related to the interconnection service requested by the user. On 22 October 2024, the IFT published the minimum technical conditions for licensees and outlined the methodology for calculating interconnection rates, which will be used to resolve any interconnection disputes.

Mexico’s legal framework for trust services, electronic signatures and digital identity is less comprehensive than the EU’s electronic identification, authentication, and trust services (eIDAS) regulation. The Mexican Commercial Code, the basis for electronic commerce, recognises electronic signatures as equivalent to handwritten ones under certain conditions. It distinguishes three types – simple electronic signature, advanced or reliable electronic signature and certified advanced electronic signature, defined as follows.

• Simple electronic signature: consists of electronic data linked or associated with a message, serving to identify the signatory and demonstrate their approval of the message’s content. This signature has the same legal validity as a handwritten signature and is acceptable as evidence in court.
• Advanced or reliable electronic signature: not only identifies the signatory and shows their approval of the message but also meets additional requirements such as being unique to the signatory and under their exclusive control at the time of signing, allowing the detection of any changes to the signature after signing and ensuring that any alteration to the message’s content can be detected after the signature.

• Certified signature (now called eSignature): a signature that has been verified and certified by a certification service provider accredited by the Economy Secretary. These signatures meet the same requirements as uncertified signatures, but with the added assurance of having been validated by a certification service provider.

The 2012 Advanced Electronic Signature Law regulates the legal effects of advanced and certified electronic signatures, granting electronic documents and data messages the same probative value as traditional ones. This is particularly relevant in the fiscal sector, enabling tools like the tax mailbox for declarations, appeals and official notices. These documents hold full evidentiary value under fiscal laws.

The Federal Code of Civil Procedures and Commercial Code also validate electronically generated information as evidence, provided the method of generation, communication or storage is reliable. NOM-151-SCFI-2016 mandates standards for preserving data messages, ensuring the integrity, authenticity and availability of electronic records over time. Additionally, the Consumer Protection Law allows electronic signatures for eCommerce, provided minimum standards are met.

While judicial precedents affirm electronic signature validity, their susceptibility to alteration poses challenges. In disputes, the signatory must prove reliability and authenticity, which often requires technological evidence. For critical agreements, using signatures with the highest probative value is advisable. However, these challenges have slowed adoption.

The USMCA (Section 19.6) mandates that electronic signatures cannot be denied legal validity solely because they are electronic. It prohibits measures limiting authentication methods or compliance demonstrations in disputes and encourages interoperable electronic authentication across parties. Specific transactions may require certifications or performance standards.

Digital Identity Schemes

Mexico is gradually implementing a national digital identity scheme, with the CURP (Clave Única de Registro de Población; Unique Population Registry Code) serving as a cornerstone of its ecosystem.

The regulation of gaming in Mexico is complex and fragmented. While gambling has a long regulatory history, modern video games, particularly those with online elements, are not explicitly addressed.

Key Laws and Regulations

The 1947 Federal Gaming and Sweepstakes Law prohibits games of chance, except for authorised activities like lotteries, casinos and sports betting, which require a Secretary of the Interior (Secretaría de Gobernación; SEGOB) licence. Only permitted games can be advertised. The law primarily focuses on traditional gambling, offering little guidance for modern gaming.

The 2004 Regulations of the Federal Gaming and Sweepstakes Law provide additional rules for authorised gambling but do not address digital or video game-related activities.

Consumer protection laws may ensure transparency and prevent deceptive practices in gaming, particularly regarding in-game purchases and loot boxes.

In-Game Purchases, Loot Boxes and Gambling Elements

Mexico has no specific regulations for in-game purchases or loot boxes. Gambling laws apply only to games of chance, not skill-based games. If a game with loot boxes is deemed predominantly chance-based, it may fall under the Federal Gaming and Sweepstakes Law, requiring SEGOB authorisation.

Online Gambling Regulation

Land-based casinos can obtain licences for online gambling, but there is no framework for standalone online operators, creating a regulatory grey area.

Age Ratings and Content Restrictions

Mexico has mandatory age rating regulations, issued by SEGOB in 2020 and based on the Law on Children and Adolescents. These ratings aim to protect minors from inappropriate content and roughly align with the Entertainment Software Rating Board (ESRB) system in the USA. The ratings use categories A (E), B (E 10+), B15 (T), C (M) and D (Ao), and include required warnings, content descriptions and interactive element disclosures for parental controls. The regulation mandates disclosure of in-game purchases, loot boxes, UGC, shared geolocation and similar interactive features before purchase.

Industry Codes of Conduct and Best Practices

Mexico lacks specific industry codes of conduct for the gaming sector. Developers and publishers often follow international best practices related to development, marketing and player protection.

eSports Regulation

eSports in Mexico remain unregulated, operating in a legal grey area. While existing laws on sports, contracts, IP and consumer protection may apply, there is no clear framework. In 2019, the National Commission of Physical Culture and Sports (Comisión Nacional de Cultura Física y Deporte; CONADE) recognised the Mexican Federation of eSports (Federación Mexicana de Esports; FEMES) as a national sports federation, legitimising esports as a sport. However, challenges persist regarding the regulation of tournaments, leagues, integrity, match-fixing and player contracts.

Gaming in Mexico is not comprehensively regulated. SEGOB oversees games of chance and age ratings for video games, putting economic sanctions in place. Enforcement, however, is inconsistent, particularly for internet-based games and those purchased via digital platforms like Steam, Google Play Store or Apple Store. SEGOB primarily focuses on physical and online casinos, leaving general gaming outside its purview unless gambling becomes an issue.

For example, if eSports betting involves games of chance, it could fall under the Federal Gaming and Sweepstakes Law, requiring SEGOB authorisation. This scrutiny would increase if minors participate, potentially drawing SEGOB’s attention. Despite ongoing discussions, no significant amendments have been implemented to address broader gaming regulation.

In Mexico, software, including apps, video games and other virtual technologies, is protected under copyright as a literary work under the Federal Author’s Rights Law (Federal de Derechos de Autor; LFDA). This protection covers both source code and object code, granting creators exclusive rights to use, distribute and modify their software unless otherwise agreed. However, software is explicitly excluded from patentability under the Industrial Property Act (Ley Federal para la Protección de la Propiedad Industrial; LFPPI). Game developers can protect IP through trade mark and copyright registration, though registration is not mandatory. Registering copyrighted works grants pre-emptive rights, shifting the burden of proof to the challenger. Developers must also secure authorisation for image rights, as the LFDA requires express consent for the use of a person’s likeness. Image rights last for 50 years after the person’s death.

The LFDA also protects creators’ rights in virtual environments, covering digital works, software, non-fungible tokens (NFTs) and virtual assets that meet originality and fixation criteria. It grants economic rights (reproduction, distribution, adaptation) and moral rights (attribution, integrity). Creators should carefully navigate platform terms, licensing agreements and international protections to maintain control over their IP.

Additional IP protections in Mexico include trade marks, domain names and reservations of rights, such as for fictional characters. These rights, akin to trade marks, last five years if renewed. Licensing agreements are critical for monetising trade marks, software and virtual goods.

The rise of NFTs introduces new copyright challenges. Ownership of an NFT does not transfer rights to the underlying content unless specified in licensing agreements. Clear contracts are essential to define rights over reproduction, distribution and adaptation. Licensing models, such as open-source or proprietary licences, govern usage, modifications and redistribution.

Platforms hosting digital art, software and virtual goods can be held accountable for user-posted infringing content unless they promptly remove it upon notification. As digital technologies evolve, Mexico’s legal framework must adapt to address emerging issues in virtual environments and digital assets.

Trade Mark Law: Applicability to Digital Goods and Services

Trade Mark laws in Mexico, governed by the LFPPI, apply to virtual goods and services in much the same way they do to physical goods and services, with some additional considerations for the digital realm. Protection extends to virtual assets such as in-game items, NFTs, and digital services and can also apply to virtual services, such as brand experiences in the metaverse, online gaming, or virtual event hosting, allowing creators and businesses to protect their brands and prevent infringement. The Nice Classification system is used to categorise goods and services for trade mark purposes. Virtual goods (like in-game items, NFTs, or digital products) would likely fall under classes for goods related to software, electronics, or entertainment, while virtual services could fall under services like entertainment, education, or technology-related services. Enforcement is supported by digital platforms and online mechanisms, which help in combating counterfeiting and unauthorised use. As virtual worlds like the metaverse continue to grow, trade mark law will play an increasingly important role in securing brands’ rights in these new digital spaces.

User-Generated Content and Intellectual Property

UGC raises complex issues of IP ownership. Platforms hosting UGC, such as social media platforms, video-sharing sites and virtual worlds, typically operate under licensing models defined in their terms of service (ToS). These agreements often grant platforms rights to use, distribute or modify uploaded content, while users retain underlying copyright. In some cases, users may assign or licence additional rights to platforms, such as the ability to display, share or monetise their content. For paid or contracted creators (eg, influencers or freelance artists), platforms or employers may claim ownership of UGC under work-for-hire provisions or contractual agreements, transferring IP rights to the commissioning entity.

Platforms hosting UGC face liability for infringing content unless they comply with safe harbour provisions. Mexico’s copyright laws, aligned with USMCA standards, include mechanisms similar to the Digital Millennium Copyright Act (DMCA). These allow copyright owners to notify platforms of infringement, requiring platforms to remove or disable access to unauthorised content. Such processes are essential for balancing IP protection and platform responsibilities.

The interplay between UGC and IP rights in Mexico involves ownership, licensing, moral rights and infringement risks. While users retain copyright, they often grant platforms significant rights, potentially limiting their control over their creations. Unauthorised use of third-party materials adds further complexity, requiring careful adherence to licensing agreements, fair use standards and protection of moral rights. Both creators and platforms must navigate these issues to ensure proper management and compliance in the UGC ecosystem.

Mexico does not have a single, comprehensive law specifically regulating social media. Instead, various existing laws and regulations touch upon different aspects of online activity, including social media use. This creates a fragmented legal landscape. Some attempts have been made in the past to enact an overall general law, but they have all failed at Congress.

In summary, the laws and regulations that apply are:

• privacy laws, which provide rules for users’ data collection, data processing, informed consent, data transfers and data rights, where the backbone of social media is user data;
• the LFDA, which protects IP rights, including copyrighted content on social media – it governs copyright infringement, fair use and takedown requests, which are particularly relevant to UGC;
• the Consumer Protection Law, which ensures consumers are protected from misleading advertising and unfair practices and applies to social media marketing and advertising – it also regulates content monetisation by influencers, supplemented by specific guidelines;
• the Mexican Standard (NMX) on e-commerce, which is likely to become a NOM and applies to social media platforms facilitating e-commerce activities, such as the sale of goods or services;
• the Federal Telecommunications and Broadcasting Law (Ley Federal de Telecomunicaciones y Radiodifusión; LFTR), which primarily focuses on telecommunications but indirectly affects social media by regulating ISPs and ensuring network neutrality;
• federal and local penal codes – these address cybercrimes like hacking, identity theft and online harassment, which frequently occur on social media;
• federal and local civil codes, which regulate defamation, libel and general liability issues arising from online speech and interactions on social media;
• USMCA Chapter 19 – although not yet a domestic law, this chapter provides intermediary liability safe harbours for UGC, offering some protection for social media platforms;
• in the near future, a cybersecurity law – depending on what the future law provides, social media would be differently impacted;
• electoral law, which is relevant to organic and paid electoral content; and
• goods and health regulations – these are relevant to organic and paid health-related content, including the advertising and promotion of regulated goods and services such as food, drinks, pharmaceuticals and drugs, weapons and financial services, among other things.

In addition to the foregoing regulations, there are some key challenges for social media and intermediary service providers in Mexico.

• Free speech: Despite strong case law before the Supreme Court, complex content such as electoral content and hate content (including political gender violence), among other types of content, can lead to media pressure and defamation and libel actions that challenge the legality of the content and seek to establish who is liable.
• Intermediary liability and UGC: There is a very important case related to free speech waiting before the Supreme Court, where Google was sanctioned with a USD250 million fine due to UGC considered as defamatory against a user. In another very recent privacy case, the Supreme Court stated that content intermediaries cannot be held liable for UGC. The Mexican Supreme Court recently affirmed the safe harbour for intermediaries (specifically for internet search providers) by limiting their liability for unlawful content. However, it is also important to mention that, in the same court sentence, the intermediary was regarded as a data processor.
• Copyright and UGC: For copyright, a specific law provides a notice and take down intermediary liability system.
• Profiling and targeting via algorithms: The use of algorithms for profiling and targeted advertising raises concerns about privacy and potential discrimination.
• Data monetisation: The monetisation of user data by social media platforms is a complex issue.
• Misinformation, disinformation and fraud: The spread of misinformation and disinformation on social media is a growing concern, with potential implications for public health, elections and social stability. This was seen particularly during the recent elections, and social media is also being used to commit fraud and other crimes, as well as for organised crime recruitment purposes.
• Online harassment and cyberbullying: Addressing online harassment, cyberbullying and hate speech on social media platforms is a significant challenge. Several laws and regulations have already been created to combat these problems.
• Jurisdiction: Determining jurisdiction in legal disputes involving social media can be challenging, especially when users and platforms are located in different countries. Several cases attest to the complexity of this issue.
• Account security: Protecting user accounts from unauthorised access and cyberattacks is a major challenge. The number of accounts that have been hacked on most popular social media platforms has become alarming.
• Minors: Protecting minors and their rights is a sensitive topic, largely because most social media platforms allow access for the +13 age group even though the age of majority is 18. There are no specific Mexican laws that directly impose age verification requirements on social media platforms. Existing laws regarding child protection could be applied in cases of harm to minors.
• New products and features: Most social media platforms are constantly developing products and features, and Mexico has been a beta testing ground due its geographical, demographic, geopolitical and economic relevance.
• Content moderation and safety: Managing harmful or inappropriate content through human or AI intervention remains a significant challenge for social media platforms.

Regulatory oversight for digital content in Mexico depends on the specific law or issue involved, with enforcement typically falling to agencies such as PROFECO (consumer protection), INAI (privacy), COFECE (competition), the Mexican Institute of Industrial Property (Instituto Mexicano de la Propiedad Industrial; IMPI) (IP and copyright), the National Electoral Institute (Instituto Nacional Electoral; INE) (electoral matters), the Federal Commission for the Protection against Sanitary Risk (La Comisión Federal para la Protección Contra Riesgos Sanitarios; COFEPRIS) (human health), and SEGOB. Law enforcement and judicial authorities also play a role in certain cases.

These regulators actively monitor and enforce compliance regarding digital content on social media. To facilitate enforcement, many platforms have established co-operation channels for handling regulatory requests to remove infringing or unlawful content. For example, during the recent Mexican elections, INE requested social media platforms to remove hundreds of thousands of posts violating electoral laws. Similarly, other regulators, such as COFEPRIS, issue takedown requests according to their regulatory scope.